Abstract. Five algebraic notions of termination are formalised, analysed and compared: wellfoundedness or Noetherity, Löb's formula, absence of infinite iteration, absence of divergence and normalisation. The study is based on modal semirings, which are additively idempotent semirings with forward and backward modal operators. To model infinite behaviours, idempotent semirings are extended to divergence semirings, divergence Kleene algebras and omega algebras. The resulting notions and techniques are used in calculational proofs of classical theorems of rewriting theory. These applications show that modal semirings are powerful tools for reasoning algebraically about the finite and infinite dynamics of programs and transition systems.



1. Introduction 

Idempotent semirings and Kleene algebras are fundamental structures in computer science 
with widespread applications. Roughly, idempotent semirings are rings without subtraction 
and with idempotent addition; Kleene algebras also provide an operation for finite iteration 
or reflexive transitive closure. Initially conceived as algebras of regular events [19], Kleene 
algebras have been extended by tests to model regular programs [20] and by infinite iteration 
to analyse reactive systems [7], program refinement [35] and rewriting systems [31, 32].
More recently, modal operators for idempotent semirings and Kleene algebras have been 
introduced [8, 10, 24] in order to model properties of programs and transition systems more
conveniently and to link algebraic and relational formalisms with traditional approaches 
such as dynamic and temporal logics. 

Here, we propose modal semirings and modal Kleene algebras as tools for termination analysis of programs and transition systems: for formalising specifications and calculating proofs that involve termination, and for analysing and comparing different notions of termination. Benefits of this algebraic approach are simple abstract specifications, concise equational proofs, easy mechanisability and connections with automata-based decision procedures. Induction with respect to external measures, for instance, is avoided in favour of internal fixpoint reasoning. Abstract, point-free, proofs can often be obtained in the algebra of modal operators.

The first contribution is a specification and comparison of five notions of termination 
in modal semirings and modal Kleene algebras. 

(1) We translate the standard set-theoretic notions of Noetherity and wellfoundedness and 
demonstrate their adequacy by several examples. 

(2) We translate Löb's formula from modal logic (cf. [5]) and show its compatibility with
the set-theoretic notions. We prove this modal correspondence result for a second-order 
frame property entirely by simple equational reasoning. 

(3) We express termination as absence of infinite iteration in omega algebra [7]. This notion
differs from the set-theoretic one. 

(4) We extend modal semirings to divergence semirings, thus modelling the sources of possible nontermination in a state space. The corresponding notion of termination is proved compatible with the set-theoretic one.

(5) We express termination via normalisation. This is again compatible with the set-theoretic notion.

This analysis shows that modal semirings and modal Kleene algebras are powerful tools for analysing and integrating notions of termination. Their rich model classes, as investigated in [10], and the flexibility to switch between relation-style and modal reasoning make the present approach more general than previous relation-based [12, 27], non-modal [7, 35] and mono-modal ones [15] which inspired this work.

The second contribution is an application of our termination techniques in rewriting theory, continuing previous research [13, 31, 32] on abstract reduction systems. Here, we prove the wellfounded union theorem of Bachmair and Dershowitz p] and a variant of Newman's lemma for non-symmetric rewriting [30] in modal Kleene algebra and divergence Kleene algebra. While the calculational proof of the commutative union theorem is novel, that of Newman's lemma requires less machinery than previous ones [12, 27]. Together with the results from [32], these exercises show that large parts of abstract reduction can conveniently be modelled in variants of modal Kleene algebra.

The remainder of this text is organised as follows. Section 2 defines idempotent semirings, tests and modal operators together with their basic properties, symmetries and dualities. Section 3 adds unbounded finite iteration to yield (modal) Kleene algebras. Section 4 translates the set-theoretic notion of Noetherity to modal semirings and presents some basic properties. Sections 5 to 9 introduce and compare notions of termination based on modal logic, omega algebra, divergence semirings and normalisation. In particular, the novel concepts of divergence semiring and divergence Kleene algebra are introduced in Section 7 and a basic calculus for these structures is outlined in Section 8. Section 10 and Section 11 present calculational proofs of the wellfounded union theorem and of Newman's lemma. Section 12 uses normalisation to relate confluence properties with normal forms. Section 13 contains a conclusion and an outlook.

2. Modal Semirings

2.1. Idempotent Semirings. We start with the definition of the algebraic structure that 
underlies the other algebras introduced in this paper.

Definition 2.1. Let $S = (S, +, \cdot, 0, 1)$ be an algebra.

(1) $S$ is a semiring if

— $(S, +, 0)$ is a commutative monoid,

— $(S, \cdot, 1)$ is a monoid,

— multiplication distributes over addition from the left and right and

— $0$ is a left and right zero of multiplication.

(2) $S$ is an idempotent semiring if $S$ is a semiring and addition is idempotent, that is $a + a = a$.

We will usually omit the multiplication symbol. Two properties of semirings are particularly interesting for our purposes.

— Every semiring $S = (S, +, \cdot, 0, 1)$ induces an opposite semiring $S^{op} = (S, +, \cdot^{op}, 0, 1)$ in which the order of multiplication is swapped: $a \cdot^{op} b = b \cdot a$. For every statement that holds in a semiring there is a dual one that holds in its opposite.

— Every idempotent semiring $S$ admits a partial order, the natural order $\le$ defined by $a \le b$ iff $a + b = b$ for all $a, b \in S$. This turns $(S, +)$ into a semilattice. It is the only partial order for which addition is isotone in both arguments and for which $0$ is the least element.

Idempotent semirings provide an algebraic model of sequential composition and angelic 
non-deterministic choice of actions. 

Example 2.2. The set $2^{M \times M}$ of binary relations over a set $M$ forms an idempotent semiring. Relations serve as a standard semantics for programs and transition systems, and as Kripke frames for modal logics. Relational composition $\circ$ is given by

$$(x, y) \in R \circ S \Leftrightarrow \exists z : (x, z) \in R \wedge (z, y) \in S,$$

and $I_M = \{(a, a) \mid a \in M\}$ is the identity relation, while $\emptyset$ is the empty relation. Then $\mathrm{REL}(M) = (2^{M \times M}, \cup, \circ, \emptyset, I_M)$ is an idempotent semiring with set inclusion as the natural ordering. □

Example 2.3. Another idempotent semiring is formed by the formal languages over an alphabet under union and concatenation. Let $\Sigma^*$ be the set of finite words over some finite alphabet $\Sigma$. We denote the empty word by $\varepsilon$ and the concatenation of words $v$ and $w$ by $vw$. A (formal) language over $\Sigma$ is a subset of $\Sigma^*$. Concatenation is lifted to languages by setting $L_1 . L_2 = \{vw \mid v \in L_1, w \in L_2\}$. Then the structure $\mathrm{LAN}(\Sigma) = (2^{\Sigma^*}, \cup, ., \emptyset, \{\varepsilon\})$ is an idempotent semiring with language inclusion as its natural ordering. □

2.2. Tests in Semirings. Elements of general idempotent semirings abstractly represent
sets of transitions. Assertions or sets of states are represented by special elements called 
tests [20] that form a Boolean subalgebra of the idempotent semiring. In the idempotent 
semiring REL(M) of relations, tests can be represented as partial identity relations, that is, 
as elements below the multiplicative unit 1. Join and meet of these elements coincide with 
their sum and product. This motivates the following abstract definition. 

Definition 2.4. A test in an idempotent semiring $S$ is an element $p \le 1$ that has a complement relative to 1, that is, there is a $q \in S$ with $p + q = 1$ and $pq = 0 = qp$. The set of all tests of $S$ is denoted by $\mathrm{test}(S)$.

Straightforward calculations show that $\mathrm{test}(S)$ is closed under $+$ and $\cdot$ and has $0$ and $1$ as its least and greatest element. Moreover, the complement of a test $p$ is uniquely determined by this definition; we denote it by $\neg p$. Hence $\mathrm{test}(S)$ indeed forms a Boolean algebra, that is, a complemented distributive lattice. We will consistently write $a, b, c, \ldots$ for arbitrary semiring elements and $p, q, r, \ldots$ for tests. We will freely use the standard Boolean operations on $\mathrm{test}(S)$, for instance implication $p \to q = \neg p + q$ and relative complementation $p - q = p \cdot \neg q$, with their usual laws. We impose that $\neg$, as a unary operator, binds more tightly than $+$ or $\cdot$.

The above definition of tests deviates slightly from that in [20] in that it does not allow an arbitrary Boolean algebra of subidentities as $\mathrm{test}(S)$, but only the maximal complemented one. The reason is that the axiomatisation of the modal operators presented below forces this anyway (see [10]).

2.3. Galois Connections. A Galois connection (cf. [21]) is a pair of mappings $f^\flat : B \to A$ and $f^\sharp : A \to B$ between posets $(A, \le_A)$ and $(B, \le_B)$ such that, for all $a \in A$ and $b \in B$,

$$f^\flat(b) \le_A a \Leftrightarrow b \le_B f^\sharp(a).$$

The mappings $f^\flat$ and $f^\sharp$ are called the lower and upper adjoints of the Galois connection. In the remainder we omit the indices of the partial order relations involved. Moreover, we will freely use the standard pointwise lifting of partial orders to functions. Lower and upper adjoints enjoy many properties.

(1) $f^\flat(x) = \inf\{y : x \le f^\sharp(y)\}$ and $f^\sharp(y) = \sup\{x : f^\flat(x) \le y\}$, whence lower and upper adjoints uniquely determine each other.

(2) $f^\flat$ and $f^\sharp$ satisfy the cancellation properties $f^\flat \circ f^\sharp \le id$ and $id \le f^\sharp \circ f^\flat$.

(3) Lower adjoints are completely additive: they preserve all existing suprema. Dually, upper adjoints are completely multiplicative: they preserve existing infima.

Since the function $(p\cdot) = \lambda x . p \cdot x$ on tests is the lower adjoint in the Galois connection $p \cdot q \le r \Leftrightarrow q \le p \to r$ and the function $(p+) = \lambda x . p + x$ on tests is the upper adjoint in the Galois connection $q - p \le r \Leftrightarrow q \le p + r$, we obtain that

$$(p\cdot) \text{ is completely additive, and } (p+) \text{ is completely multiplicative.} \tag{2.1}$$

The Galois connection for $(p\cdot)$ is equivalent to the shunting rule

$$p \cdot q \le r \Leftrightarrow p \le \neg q + r, \tag{shunting}$$

which is frequently used in calculations. To facilitate its use we state many assertions of the form $a = 0$ in the equivalent form $a \le 0$ (the reverse inequation $0 \le a$ holds anyway, since $0$ is the least element of the respective idempotent semiring). An example is the special case $r = 0$ of shunting, namely $p \cdot q \le 0 \Leftrightarrow p \le \neg q$.

2.4. Modal Operators. Forward and backward diamond operators can be introduced as 
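abstract preimage and image operators on idempotent semirings [24].

Definition 2.5. An idempotent semiring $S$ is called modal if for every element $a \in S$ there are operators $|a\rangle, \langle a| : \mathrm{test}(S) \to \mathrm{test}(S)$ that satisfy the following axioms:

$$|a\rangle p \le q \Leftrightarrow \neg q\, a\, p \le 0, \qquad \langle a| p \le q \Leftrightarrow p\, a\, \neg q \le 0, \tag{dia1}$$

$$|ab\rangle p = |a\rangle(|b\rangle p), \qquad \langle ab| p = \langle b|(\langle a| p). \tag{dia2}$$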

Let us explain the axioms for the forward diamond. Let $a$ model a set of transitions of a system and let the test $p$ represent a subset of the state space on which $a$ acts. Then the set $r = |a\rangle p$ represents the set of all states from which there is a transition to $p$, that is, the inverse image of $p$ under $a$. If $r$ is contained in another set $q$, then it is impossible to make an $a$-transition from outside $q$, that is, from the complement $\neg q$, into the set $p$. In other words, $\neg q\, a\, p$, which represents that part of $a$ that has only transitions from the set $\neg q$ into the set $p$, must be empty. This is expressed by (dia1). The axiom (dia2) stipulates that the forward diamonds behave locally or modularly with respect to composition: the inverse image under $ab$ coincides with the inverse image under $a$ of the inverse image under $b$.

This axiomatisation is equivalent to the purely equational, domain-based one in [10], since we can define the domain and codomain of an element $a$ as

$$\mathrm{dom}\, a = |a\rangle 1, \qquad \mathrm{cod}\, a = \langle a| 1.$$

Conversely,

$$|a\rangle p = \mathrm{dom}(ap), \qquad \langle a| p = \mathrm{cod}(pa).$$

Next we define forward and backward box operators as the De Morgan duals of diamonds:

$$|a] p = \neg |a\rangle \neg p, \qquad [a| p = \neg \langle a| \neg p.$$

Using De Morgan's laws and shunting one obtains the following properties of the box operators from (dia1) and (dia2):

$$p \le |a] q \Leftrightarrow p\, a\, \neg q \le 0, \qquad p \le [a| q \Leftrightarrow \neg q\, a\, p \le 0, \tag{box1}$$

$$|ab] p = |a](|b] p), \qquad [ab| p = [b|([a| p). \tag{box2}$$

The property (box1) means that the test $|a]q$ represents the set of all states from which all transitions (if any) lead into the set $q$. Hence $|a]q$ is an algebraic version of the weakest-liberal-precondition operator [11]; it can be used for an algebraic treatment of the calculus of partial correctness (see [24] and Example 7.8 for a summary). Property (box2) shows that also the box operators are well behaved with respect to composition.
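
The following added example (not code from the paper) instantiates Definition 2.5 in the relational model REL(M) of Example 2.2 and checks (dia1), (dia2) and (box1) by exhaustive enumeration. The three-element carrier, the sampled relations and all function names are assumptions made for the illustration.

```python
from itertools import chain, combinations, product

M = (0, 1, 2)  # constructed three-state carrier set


def subsets(xs):
    xs = list(xs)
    return [frozenset(c) for c in chain.from_iterable(
        combinations(xs, k) for k in range(len(xs) + 1))]


TESTS = subsets(M)              # tests: sets of states (partial identities)
RELS = subsets(product(M, M))   # all 2^9 = 512 elements of REL(M)
SAMPLE = RELS[::7]              # constructed sample used for the pairwise check


def neg(p):
    """Complement of a test relative to 1."""
    return frozenset(M) - p


def compose(a, b):
    """Relational composition a o b."""
    return frozenset((x, z) for (x, y) in a for (y2, z) in b if y == y2)


def restrict(p, a, q):
    """The semiring product p.a.q: the a-transitions from p into q."""
    return frozenset((x, y) for (x, y) in a if x in p and y in q)


def fdia(a, p):
    """Forward diamond |a>p: preimage of p under a."""
    return frozenset(x for (x, y) in a if y in p)


def bdia(a, p):
    """Backward diamond <a|p: image of p under a."""
    return frozenset(y for (x, y) in a if x in p)


def fbox(a, p):
    """Forward box |a]p, the De Morgan dual of |a>."""
    return neg(fdia(a, neg(p)))


def bbox(a, p):
    """Backward box [a|p, the De Morgan dual of <a|."""
    return neg(bdia(a, neg(p)))


def check_dia1():
    """(dia1): |a>p <= q iff (not q).a.p = 0, and its backward dual."""
    for a, p, q in product(RELS, TESTS, TESTS):
        if (fdia(a, p) <= q) != (not restrict(neg(q), a, p)):
            return False
        if (bdia(a, p) <= q) != (not restrict(p, a, neg(q))):
            return False
    return True


def check_dia2():
    """(dia2): |ab>p = |a>|b>p and <ab|p = <b|<a|p, on sampled pairs."""
    for a, b, p in product(SAMPLE, SAMPLE, TESTS):
        ab = compose(a, b)
        if fdia(ab, p) != fdia(a, fdia(b, p)):
            return False
        if bdia(ab, p) != bdia(b, bdia(a, p)):
            return False
    return True


def check_box1():
    """(box1): p <= |a]q iff p.a.(not q) = 0, and its backward dual."""
    for a, p, q in product(RELS, TESTS, TESTS):
        if (p <= fbox(a, q)) != (not restrict(p, a, neg(q))):
            return False
        if (p <= bbox(a, q)) != (not restrict(neg(q), a, p)):
            return False
    return True


# Constructed transition relation: 0 -> 1, 0 -> 2, 1 -> 2; state 2 is terminal.
EXAMPLE = frozenset({(0, 1), (0, 2), (1, 2)})

if __name__ == "__main__":
    print(check_dia1(), check_dia2(), check_box1())
    print(sorted(fdia(EXAMPLE, frozenset({2}))))  # some step reaches state 2
    print(sorted(fbox(EXAMPLE, frozenset({2}))))  # every step reaches state 2
```

State 2 belongs to the box but not to the diamond of {2}: it has no transitions at all, which is the "(if any)" in the reading of (box1) and the reason the box models partial rather than total correctness.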

2.5. Algebra of Modal Operators. The algebra of modal operators over an idempotent semiring has been studied in detail in [24]. Here we only present a brief synopsis.

Clearly, forward and backward operators of the same kind are duals with respect to 
opposition. Moreover, by (dial) and (boxl), boxes and diamonds are adjoints of a Galois 
connection: 

$$|a\rangle p \le q \Leftrightarrow p \le [a| q, \qquad \langle a| p \le q \Leftrightarrow p \le |a] q. \tag{2.2}$$

Consequently, diamonds are (completely) additive and strict and boxes are (completely) 
multiplicative and co-strict, in particular, 

$$|a\rangle(p + q) = |a\rangle p + |a\rangle q, \qquad \langle a|(p + q) = \langle a| p + \langle a| q,$$

$$|a](pq) = |a]p \cdot |a]q, \qquad [a|(pq) = [a|p \cdot [a|q,$$

$$|a\rangle 0 = 0, \qquad \langle a| 0 = 0,$$

$$|a] 1 = 1, \qquad [a| 1 = 1.$$

This entails interactions of the operators with subtraction and implication, since every additive endofunction $f$ and every multiplicative endofunction $g$ on a Boolean algebra satisfy, for all elements $p$ and $q$,

$$f(p) - f(q) \le f(p - q), \qquad g(p \to q) \le g(p) \to g(q). \tag{2.3}$$

Next we present the behaviour of diamond and box with respect to addition: 

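$$|a + b\rangle p = |a\rangle p + |b\rangle p, \qquad \langle a + b| p = \langle a| p + \langle b| p,$$

$$|a + b] p = |a]p \cdot |b]p, \qquad [a + b| p = [a|p \cdot [b|p.$$

Finally, we look at tests within boxes and diamonds. For $p, q \in \mathrm{test}(S)$,

$$|q\rangle p = qp = \langle q| p, \qquad |q] p = q \to p = [q| p. \tag{2.4}$$

In particular,

$$|0\rangle p = 0 = \langle 0| p, \qquad |0] p = 1 = [0| p,$$

$$|1\rangle p = p = \langle 1| p, \qquad |1] p = p = [1| p.$$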

2.6. Modal Operators as Semiring Elements. Many properties of modal semirings can be expressed more succinctly in the endofunction space $\mathrm{test}(S) \to \mathrm{test}(S)$. The semiring operations are lifted pointwise as

$$(f \pm g)(p) = f(p) \pm g(p), \qquad (f \sqcap g)(p) = f(p) \cdot g(p), \qquad (f \cdot g)(p) = f(g(p))$$

and likewise for the other Boolean operations. In particular, $1 = |1\rangle = \langle 1|$ and $0 = |0\rangle = \langle 0|$ are the identity and the constant 0-valued function on tests, respectively. Some immediate consequences of the pointwise lifting are the properties

$$(f \pm g)h = fh \pm gh, \qquad (f \sqcap g)h = fh \sqcap gh.$$

Moreover, we obtain distribution properties such as

$$|a + b\rangle = |a\rangle + |b\rangle, \qquad |a + b] = |a] \sqcap |b], \tag{2.5}$$

for addition, and covariant and contravariant laws

$$|ab\rangle = |a\rangle |b\rangle, \qquad \langle ab| = \langle b| \langle a|, \tag{dia2'}$$

for composition, which we apply tacitly most of the time.

This lifting yields further interesting operator-level laws. The Galois connections extend to endofunctions $f$ and $g$ on $\mathrm{test}(S)$:

$$|a\rangle f \le g \Leftrightarrow f \le [a| g, \qquad \langle a| f \le g \Leftrightarrow f \le |a] g. \tag{2.6}$$

This implies the following cancellation properties:

$$|a\rangle [a| \le 1 \le [a| |a\rangle, \qquad \langle a| |a] \le 1 \le |a] \langle a|. \tag{2.7}$$

Cancellation and isotony of the operators allow the following calculation:

$$f|a] \le g \Rightarrow f|a]\langle a| \le g\langle a| \Rightarrow f \le g\langle a| \Rightarrow f|a] \le g\langle a||a] \Rightarrow f|a] \le g.$$

A similar derivation works for antitone operators. Hence we have the co-Galois connections

$$f|a] \le g \Leftrightarrow f \le g\langle a| \quad \text{if } f \text{ and } g \text{ are isotone},$$

$$f|a\rangle \le g \Leftrightarrow f \le g[a| \quad \text{if } f \text{ and } g \text{ are antitone}.$$

Moreover, diamonds are isotone and boxes are antitone, that is,

$$a \le b \Rightarrow |a\rangle \le |b\rangle, \quad \text{and} \quad a \le b \Rightarrow |b] \le |a]. \tag{2.8}$$

Diamonds and boxes satisfy variants of (2.3), that is,

$$|a\rangle f - |a\rangle g \le |a\rangle(f - g), \qquad |a](f \to g) \le |a]f \to |a]g. \tag{2.9}$$

Finally, the above laws entail the following lifting property. 

Proposition 2.6. The set of forward diamonds and the set of backward diamonds in a 
modal semiring each form an idempotent semiring. 

The point-free style and the properties of the operator algebra yield more concise specifications and proofs in the following sections.

3. Modal Kleene Algebras 

Kleene algebras are idempotent semirings with an additional operation of finite iteration. 
Algebras that describe infinite iteration will be defined in Section 6.

Since the iteration operators will be defined as least or greatest fixpoints, we recapitulate 
some basic facts about these. 

3.1. Elements of Fixpoint Theory. Let $f$ be an endofunction on a poset $(A, \le)$. Then $a \in A$ is a pre-fixpoint of $f$ if $f(a) \le a$. The notion of post-fixpoint is order-dual, and $a$ is a fixpoint of $f$ if it is both a pre- and a post-fixpoint. The least fixpoint of $f$ is denoted $\mu f$, and the greatest fixpoint of $f$ is denoted $\nu f$, whenever they exist. We write $\mu x . f$ and $\nu x . f$ to make the variables in $f$ explicit.

By definition, if $f, g$ are endofunctions with $f \le g$ and the respective fixpoints exist, then $\mu f \le \mu g$ and $\nu f \le \nu g$.

The fixpoint theorem of Knaster and Tarski [33] states that $\mu f$ and $\nu f$ exist whenever $(A, \le)$ is a complete lattice and $f$ is isotone.

A useful proof rule is the principle of greatest fixpoint fusion (see, for example, [3] for the dual principle of least fixpoint fusion). It does not need the assumption of a complete lattice. Consider partial orders $(A, \le_A)$ and $(B, \le_B)$, and let $f : A \to B$, $g : A \to A$ and $h : B \to B$ be isotone mappings. Assume that $f$ is completely multiplicative, which means that $f$ is also the upper adjoint of a Galois connection between $A$ and $B$, and that $fg = hf$. Then $f$ is also the upper adjoint of a Galois connection between the set of post-fixpoints of $g$ and the set of post-fixpoints of $h$. In particular, if $g$ has a greatest post-fixpoint $\nu g$, then $h$ also has a greatest post-fixpoint $\nu h$ and $\nu h = f(\nu g)$. Since fixpoints correspond to recursions, this means that $f$ can be fused with the recursion in $g$ into the recursion for $\nu h$.

3.2. Kleene Algebras. Operations for finite iteration can be axiomatised in terms of least
fixpoints. 

Definition 3.1 ([E]). A left-inductive Kleene algebra is a structure $(S, {}^*)$ such that $S$ is an idempotent semiring and the star operation ${}^* : S \to S$ satisfies, for all $a, b, c \in S$, the left unfold and left induction axioms

$$1 + aa^* \le a^*, \qquad b + ac \le c \Rightarrow a^*b \le c.$$

Right-inductive Kleene algebras are their duals with respect to opposition, that is, they satisfy the right unfold and right induction axioms $1 + a^*a \le a^*$ and $b + ca \le c \Rightarrow ba^* \le c$.

By these axioms, $a^*b = \mu x . b + ax$ and $ba^* = \mu x . b + xa$. By isotony of the least fixpoint operator $\mu$ therefore the star operation is isotone with respect to the natural order.

Example 3.2. Extending the relation semiring REL(M) from Example 2.2 by a reflexive transitive closure operation yields a left-inductive Kleene algebra: Define, for all $R \in \mathrm{REL}(M)$, the relation $R^*$ as the reflexive transitive closure of $R$, that is, $R^* = \bigcup_{i \ge 0} R^i$ with $R^0 = I$ and $R^{i+1} = R \circ R^i$. We call REL(M) the relational Kleene algebra over M. □

Example 3.3. Another left-inductive Kleene algebra is formed by expanding the language semiring $\mathrm{LAN}(\Sigma)$ from Example 2.3 by the Kleene star. The definition is, as usual, $L^* = \{w_1 w_2 \cdots w_n \mid n \ge 0, w_i \in L\}$. We call $\mathrm{LAN}(\Sigma)$ the language Kleene algebra over $\Sigma$. The operations $\cup$, $.$ and ${}^*$ are called regular operations, and the sets that can be obtained from finite subsets of $\Sigma^*$ by a finite number of regular operations are called regular subsets or regular events of $\Sigma^*$. The equational theory of the regular subsets is called algebra of regular events. □

Proposition 3.7 below shows that diamond operators form left-inductive Kleene algebras as well. Various further models are discussed in [10].

It can be shown that in a left-inductive Kleene algebra the star satisfies $aa^* = a^*a$; consequently, also the right unfold law $1 + a^*a \le a^*$ holds.

Definition 3.4. In a left-inductive Kleene algebra, the transitive closure of $a$ is

$$a^+ = aa^*.$$

We will freely use the well known properties of $a^+$.

Definition 3.5. [19] A Kleene algebra is a structure that is both a left-inductive and a right-inductive Kleene algebra.

In a Kleene algebra we have $a^+ = aa^* = a^*a$.

Definition 3.6. A Kleene algebra S is called modal if S is a modal semiring. 

It turns out that no extra axiom for the interaction between star and the modal operators is needed since the following properties can be shown [10]:

$$p + |a\rangle|a^*\rangle p = |a^*\rangle p, \qquad p + |a^*\rangle|a\rangle p = |a^*\rangle p, \qquad q + |a\rangle p \le p \Rightarrow |a^*\rangle q \le p. \tag{3.1}$$

These are used to prove the following statement [23].

Proposition 3.7. The set of forward diamonds and the set of backward diamonds in a left-inductive modal Kleene algebra each form a left-inductive Kleene algebra.

In fact, $1 + |a\rangle|a^*\rangle = |a^*\rangle$, $1 + |a^*\rangle|a\rangle = |a^*\rangle$ and $f + |a\rangle g \le g \Rightarrow |a^*\rangle f \le g$ hold for arbitrary endofunctions $f$ and $g$ on a test algebra. This justifies setting $|a\rangle^* = |a^*\rangle$. Variants for the other modal operators follow by duality.

As shown in Proposition 2 of [H], the operator-level left star induction law is equivalent to the induction axiom of propositional dynamic logic

$$|a\rangle^* - 1 \le |a\rangle^*(|a\rangle - 1). \tag{3.2}$$

4. Termination via Noetherity 

In this section we abstract the notions of wellfoundedness and Noetherity from the relation semiring REL(M) to modal semirings. In set theory, a relation $R$ on a set $M$ is wellfounded within a subset $N \subseteq M$ iff every non-empty subset of $N$ has an $R$-minimal element. It is a standard exercise to show that this is equivalent to the absence of infinitely descending $R$-chains in $N$. An element of $N$ is $R$-minimal in $N$ iff it has no $R$-predecessor in $N$, or, equivalently, if it is not in the image $\langle R|N$ of $N$ under $R$. Abstracting $R$ to a semiring element $a$ and $N$ to a test $p$ leads to the following definition.

Definition 4.1. For a modal semiring $S$ and $a \in S$, $p \in \mathrm{test}(S)$, the $a$-minimal part of $p$ is $\min_a p = p - \langle a|p$. In point-free style, $\min_a = 1 - \langle a|$. Dually, the $a$-maximal part is $\max_a = 1 - |a\rangle$.

On the one hand, therefore, $a$ is wellfounded iff $\min_a p$ is non-empty whenever $p$ is. On the other hand, an infinitely descending $a$-chain corresponds to a $p \ne 0$ for which $\min_a p = 0$. Absence of infinitely descending $a$-chains therefore means that $0$ is the only $p$ that satisfies $\min_a p \le 0$.

Since wellfoundedness and Noetherity are dual with respect to opposition, and since 
we are mainly interested in termination, that is, absence of strictly ascending sequences of 
actions, we will restrict our attention to Noetherity. 

Definition 4.2. An element $a$ of a modal semiring $S$ is Noetherian if, for all $p \in \mathrm{test}(S)$,

$$\max_a p \le 0 \Rightarrow p \le 0.$$

Dually, $a$ is wellfounded if, for all $p \in \mathrm{test}(S)$,

$$\min_a p \le 0 \Rightarrow p \le 0.$$

Similar definitions for related structures have been given in [H \T2\ [T5\ I27j . The following 
result is immediate from the definitions in Section 3.1.

Corollary 4.3. Assume a modal semiring $S$ and $a \in S$, $p \in \mathrm{test}(S)$.

(1) $\max_a p \le 0$ iff $p$ is a post-fixpoint of the endofunction $|a\rangle$ on $\mathrm{test}(S)$.

(2) $a$ is Noetherian iff $0$ is the unique post-fixpoint of $|a\rangle$, that is, iff for all $p \in \mathrm{test}(S)$,

$$p \le |a\rangle p \Rightarrow p \le 0.$$

We now relate Noetherity and finite iteration.

Lemma 4.4. Assume a modal Kleene algebra $S$ and $a \in S$, $p \in \mathrm{test}(S)$. Define the endofunction $h_p : \mathrm{test}(S) \to \mathrm{test}(S)$ by $h_p(x) = p + |a\rangle x$.

(1) $\mu h_p = |a^*\rangle p$.

(2) If the greatest fixpoint $\nu|a\rangle$ of $|a\rangle$ exists, then the greatest fixpoint $\nu h_p$ exists, too, and $\nu h_p = \mu h_p + \nu|a\rangle$.

(3) With the assumptions of Part (2), if $a$ is Noetherian then $h_p$ has the unique fixpoint $\nu h_p$.

(4) If, for all $p$, the function $h_p$ has a unique fixpoint, then $a$ is Noetherian.

Proof.

(1) This follows from

(2) The proof uses greatest fixpoint fusion (cf. Section 3.1) with $f(x) = \mu h_p + x$, $g = |a\rangle$ and $h = h_p$. Since $f = (\mu h_p +)$ is completely multiplicative by (2.1), it suffices to show that $fg = h_p f$. This is implied by star induction (3.1) and additivity of $|a\rangle$:

$$f(g(x)) = |a\rangle^* p + |a\rangle x = p + |a\rangle|a\rangle^* p + |a\rangle x = p + |a\rangle(|a\rangle^* p + x) = h_p(f(x)).$$

(3) If $a$ is Noetherian, then Corollary 4.3(2) implies that $\nu|a\rangle = 0$, and the claim follows from (2).

(4) Uniqueness and (2) imply, for all $p$, that $\mu h_p = \nu h_p = \mu h_p + \nu|a\rangle$, which by definition of the natural order is equivalent to $\nu|a\rangle \le \mu h_p$. Since for $p = 0$ we have by definition $h_0 = |a\rangle$, we therefore obtain $\nu|a\rangle \le \mu h_0 = \mu|a\rangle$. But strictness of $|a\rangle$ shows $\mu|a\rangle = 0$. □

A similar result for regular algebras appears in Our setting is more general in that we 
do not require completeness of the lattice induced by the natural order. 
We now collect some algebraic properties of max. 

Lemma 4.5. Let $S$ be a modal semiring. Let $a, b \in S$ and $p \in \mathrm{test}(S)$.

(1) $\max_{a+b} = \max_a \sqcap \max_b$.

(2) $\max_0 = 1$.

(3) $\max_1 = 0$.

(4) $\max_a |a\rangle \le |a\rangle \max_a$.

(5) If $S$ is a modal Kleene algebra then $\max_a |a\rangle^* \le |a\rangle^* \max_a$.

(6) $a \le b \Rightarrow \max_b \le \max_a$.

(7) For $m = \max_a 1$ we have $m = \neg\mathrm{dom}\, a = |a]0$. Hence $ma = 0$ and $ma^* = m$.

(8) $\max_{a^*} = 0$.

Proof.

(1) By Boolean algebra,

$$\max_{a+b} = 1 - (|a\rangle + |b\rangle) = (1 - |a\rangle) \sqcap (1 - |b\rangle) = \max_a \sqcap \max_b.$$

(2) and (3) follow immediately from the definition of max.

(4) Using the definition of relative complementation and (2.9), we calculate

$$\max_a |a\rangle = (1 - |a\rangle)|a\rangle = 1|a\rangle - |a\rangle|a\rangle = |a\rangle 1 - |a\rangle|a\rangle \le |a\rangle(1 - |a\rangle) = |a\rangle \max_a.$$

(5) The proof is similar to that of (4), but uses the regular identity $aa^* = a^*a$ in the third step.

$$\max_a |a\rangle^* = (1 - |a\rangle)|a\rangle^* = 1|a\rangle^* - |a\rangle|a\rangle^* = |a\rangle^* 1 - |a\rangle^*|a\rangle \le |a\rangle^*(1 - |a\rangle) = |a\rangle^* \max_a.$$

(6) Immediate from (1).

(7) The first claim is immediate from the definitions. Next, $\neg\mathrm{dom}\, a \cdot a \le 0$ by (dia1) (set $p = 1$ and $q = \mathrm{dom}\, a = |a\rangle 1$). Finally, by star unfold,

$$ma^* = m(1 + aa^*) = m + maa^* = m + 0a^* = m + 0 = m.$$

(8) This follows from (3), $1 \le a^*$ and antitony of max. □

Property (7) is used in the discussion of normalisation in Section 9. It means that $\max_a 1$ represents the states from which no $a$-transitions are possible, that is, the normal forms under the transition system represented by $a$. Lemma 4.5 is useful for proving some standard properties of Noetherian elements.

Lemma 4.6. Assume a modal semiring S. 

(1) Zero is the only Noetherian test. 

(2) If a sum is Noetherian then so are its summands. 

(3) Noetherity is downward closed. 

(4) If S is a modal Kleene algebra then an element is Noetherian iff its transitive closure 
is. 

Proof. Let $a, b \in S$ and $p, q \in \mathrm{test}(S)$.

(1) It follows immediately from Lemma 4.5(2) that $0$ is Noetherian.

For the converse direction, let $p \ne 0$. By (2.4) and idempotence of tests we have $|p\rangle p = pp = p$. In particular, $p \le |p\rangle p$, that is, $p$ is a (post-)fixpoint of $|p\rangle$ different from $0$. Hence $p$ is not Noetherian by Corollary 4.3(2).

(2) Immediate from Lemma 4.5(1).

(3) Immediate from (2).

(4) By (3) and $a \le a^+$, Noetherity of $a^+$ implies that of $a$.

Let, conversely, $a$ be Noetherian and assume that $\max_{a^+} p \le 0$. Then, by definition of max, shunting, isotony of $|a^*\rangle$ and the regular identities $a^*a^+ = a^+a^* = aa^*a^* = aa^*$, we obtain

$$\max_{a^+} p \le 0 \Leftrightarrow p - |a^+\rangle p \le 0 \Leftrightarrow p \le |a^+\rangle p \Rightarrow |a^*\rangle p \le |a^*\rangle|a^+\rangle p \Leftrightarrow |a^*\rangle p \le |a\rangle|a^*\rangle p,$$

that is, that $|a\rangle^* p$ is expanded by $|a\rangle$. Hence Noetherity of $a$ implies $|a\rangle^* p \le 0$ and therefore $p \le 0$, since $p \le |a\rangle^* p$. □

Lemma 4.6(1) implies that 1 is not Noetherian. The Noetherian relations {(1,2)} and {(2,1)} show that the converse direction of Lemma 4.6(2) does not hold; the wellfounded union theorem in Section 10 presents conditions that enforce this converse implication. Lemma 4.6(3) implies that Noetherian elements must be irreflexive. Finally, if a non-trivial test is below an element then this element cannot be Noetherian. In particular, $a^*$ is not Noetherian since $1 \le a^*$.

5. Termination via Löb's Formula

We now investigate two alternative equational characterisations of termination. The first 
one involves the transitive closure whereas the second one does not and hence works only 
for elements with transitive diamonds. 

Definition 5.1. An element $a$ of a modal semiring is diamond-transitive or d-transitive if $|a\rangle|a\rangle \le |a\rangle$.

J. DESHARNAIS, B. MOLLER, AND G. STRUTH

Obviously, transitivity implies d-transitivity, but not vice versa. Consider, for instance, the path semiring consisting of sets of node sequences in a graph under union and path concatenation via a common intermediate node (also known as fusion product). In this case the natural order is set inclusion. Tests are sets of nodes (each represented as a sequence of length one). For such a set $p$, the forward diamond $|a\rangle p$ yields the inverse image of $p$ under $a$, that is, the set of all nodes from which an $a$-path leads to some node of $p$. Now let $n$ be an arbitrary node and let $a$ consist just of the single path $(n, n)$. Then $a \cdot a = \{(n, n, n)\} \not\le a$, so that $a$ is not transitive. But

so that $|a\rangle|a\rangle \le |a\rangle$ and $a$ is d-transitive.

Definition 5.2. A modal semiring $S$ is extensional if, for all $a, b \in S$,

$$|a\rangle \le |b\rangle \Rightarrow a \le b.$$

Equivalently, $S$ is extensional if, for all $a, b \in S$,

$$|a\rangle = |b\rangle \Rightarrow a = b.$$

In an extensional modal semiring, d-transitivity implies transitivity. Obviously, path semirings are not extensional.

We now come to Löb's formula $\Box(\Box p \to p) \to \Box p$ from modal logic (cf. [5]). It expresses wellfoundedness of transitive Kripke frames. To represent this formula algebraically, we first pass to a multi-modal view. We replace $\Box$ by $|a]$ and then dualise the box, by De Morgan's laws, to a form involving diamonds; in particular, the subformula $|a]p \to p$ turns into $p - |a\rangle p = \max_a p$. Finally, the main implication is replaced by the natural order on tests. This gives rise to the following notions.

Definition 5.3. An element $a$ of a modal Kleene algebra is

(1) pre-Löbian if $|a\rangle \le |a\rangle^+ \max_a$;

(2) Löbian if $|a\rangle \le |a\rangle \max_a$.

When $a$ is pre-Löbian, every state from which there is an $a$-step into a state set $p$ admits a sequence of $a$-steps that leads into some $a$-maximal state of $p$. Let us see that this implies Noetherity of $a$. Suppose that $a$ admits an infinite sequence of transitions. Let $p$ represent the set of all states in such a sequence. Then every state in $p$ admits an $a$-step into $p$, while $\max_a p = 0$, which is a contradiction. Below we will show that, conversely, also all Noetherian elements are pre-Löbian.

Of course, every Löbian element of a modal Kleene algebra is pre-Löbian. For the converse direction we have the following result.

Lemma 5.4. A d-transitive element of a modal semiring is Löbian iff it is pre-Löbian.

Proof. By Proposition 3.7 and standard properties of transitive closure, the diamond of a d-transitive element is its own transitive closure. □

The next statements relate Löbian and Noetherian elements.

Theorem 5.5. An element of a modal Kleene algebra is Noetherian iff it is pre-Löbian.

Proof. Consider a modal Kleene algebra $S$ and $a \in S$. Set $f = |a\rangle$ and $g = \max_a = 1 - f$.

($\Leftarrow$) Let $a$ be pre-Löbian, which is equivalent to $f - f^+ g \le 0$. Let $g(p) \le 0$, that is, $p \le f(p)$. We must show that $p \le 0$. We calculate

$$p \le f(p) = f(p) - f^+(0) = f(p) - f^+(g(p)) \le 0.$$
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The second step uses strictness of diamonds. The third step uses the assumption on g. The 
fourth step uses the assumption that a is pre-Lobian. 

($\Rightarrow$) Let a be Noetherian. This implies that a is pre-Löbian if we can show that
$f - f^+ g \le f(f - f^+ g)$. We calculate

$$\begin{aligned}
f - f^+ g &= f - f f^* g \\
&\le f(1 - f^* g) \\
&= f(1 - (1 + f^+) g) \\
&= f(1 - (g + f^+ g)) \\
&= f((1 - g) - f^+ g) \\
&\le f(f - f^+ g).
\end{aligned}$$

The first step uses the definition of $f^+$. The second step uses the identity (2.9). The fifth
step uses the Boolean identity $p - (q + r) = (p - q) - r$. The last step uses isotony and the fact
that $1 - g = 1 - (1 - f) \le f$. This follows from the Boolean identities $p - (p - q) = pq \le q$. □

Corollary 5.6. A d-transitive element of a modal semiring is Noetherian iff it is Löbian.

Proof. This is immediate from Theorem 5.5 and Lemma 5.4. As in that lemma, the required
transitive closures exist in the operator semiring by the assumption of d-transitivity. □

Let us discuss the intuition behind the proofs of Theorem 5.5 and Corollary 5.6. If a is
pre-Löbian, then $|a\rangle - |a\rangle^+ \max_a \le 0$. For a given p, the application $(|a\rangle - |a\rangle^+ \max_a)(p)$ of
the left-hand side of this identity to a set p denotes the set of all states that admit a-steps
leading outside the basin of attraction for termination in p. Now if p had no a-maximal
elements then every a-step would lead outside the (empty) basin of attraction, unless p
itself were empty. The first part of the proof of Theorem 5.5 formalises this argument.

Now let a be Noetherian and assume that the set of states from which a-steps lead
outside the basin of attraction is non-empty, that is, a is not pre-Löbian. By Noetherity,
this set has an a-maximal element: a contradiction. This motivates the second part of the
proof.

The general algebraic connection between Noetherity and Löb's formula is not novel.
Goldblatt [15] has given a similar calculational proof in the more general setting of Boolean
algebras with operators. In fact, inspection of the proof of Theorem 5.5 shows that no
further properties of modal Kleene algebra are needed. Given a strict additive $f : B \to B$
on a Boolean algebra B, Goldblatt defines the transitive closure $f^+$ of f by the identities

= + - f{p) < f^{f{p)-p)- 

While the first identity follows immediately from the operator-level unfold law $1 + ff^* = f^*$
and the definition of in Kleene algebra (Definition [33]), the second identity follows from
the induction axiom of propositional dynamic logic (3.2) written as $f^* - 1 \le f^*(f - 1)$.

A main contribution of this section is to show that Goldblatt 's proof can be adapted 
to Kleene algebra. 

The relation between Löb's formula and Noetherity, as expressed in Corollary 5.6, is
interesting for the correspondence theory of modal logic. While the traditional proof of 
the correspondence uses model-theoretic semantic arguments based on infinite chains, the 
algebraic proof is entirely calculational and avoids infinity. This is quite beneficial for 
mechanisation. 
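
The finite relational reading of Definition 5.3, Lemma 5.4 and Theorem 5.5, as an added example that is not code from the paper: tests are subsets of a state set and $|a\rangle p$ is the preimage of p under the relation a. The function names, the three-state universe and the constructed relation `CHAIN` are assumptions of this illustration; the check enumerates every relation on three states.

```python
from itertools import product

def diamond(a, p):
    """|a>p: states with an a-step into the state set p."""
    return frozenset(x for (x, y) in a if y in p)

def max_a(a, p):
    """max_a p = p - |a>p: states of p with no a-step back into p."""
    return p - diamond(a, p)

def diamond_plus(a, p):
    """|a>^+ p: states with a non-empty a-path into p (least fixpoint iteration)."""
    reach = diamond(a, p)
    while True:
        bigger = reach | diamond(a, reach)
        if bigger == reach:
            return reach
        reach = bigger

def tests(states):
    """All subsets of the state set, i.e. the test algebra of the relational model."""
    states = list(states)
    for bits in product((0, 1), repeat=len(states)):
        yield frozenset(s for s, bit in zip(states, bits) if bit)

def relations(states):
    """All binary relations on the state set."""
    pairs = [(x, y) for x in states for y in states]
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(pr for pr, bit in zip(pairs, bits) if bit)

def is_noetherian(a, states):
    """For every test p: max_a p <= 0 implies p <= 0."""
    return all(max_a(a, p) for p in tests(states) if p)

def is_pre_lobian(a, states):
    """Definition 5.3(1), pointwise: |a>p <= |a>^+ (max_a p) for every test p."""
    return all(diamond(a, p) <= diamond_plus(a, max_a(a, p)) for p in tests(states))

def is_lobian(a, states):
    """Definition 5.3(2), pointwise: |a>p <= |a>(max_a p) for every test p."""
    return all(diamond(a, p) <= diamond(a, max_a(a, p)) for p in tests(states))

def is_d_transitive(a, states):
    """|a>|a>p <= |a>p for every test p."""
    return all(diamond(a, diamond(a, p)) <= diamond(a, p) for p in tests(states))

def exhaustive_check(n=3):
    """Count disagreements with Theorem 5.5 and Lemma 5.4 over all relations on n states."""
    states = range(n)
    report = {"relations": 0, "noetherian": 0,
              "thm_5_5_failures": 0, "lemma_5_4_failures": 0}
    for a in relations(states):
        noeth, pre = is_noetherian(a, states), is_pre_lobian(a, states)
        report["relations"] += 1
        report["noetherian"] += noeth
        report["thm_5_5_failures"] += (noeth != pre)
        if is_d_transitive(a, states):
            report["lemma_5_4_failures"] += (is_lobian(a, states) != pre)
    return report

# Constructed relation: a two-step chain 0 -> 1 -> 2. It is Noetherian and
# pre-Löbian but not d-transitive, and it is not Löbian (take p = {1, 2}).
CHAIN = frozenset({(0, 1), (1, 2)})

if __name__ == "__main__":
    print(exhaustive_check(3))
    print("chain pre-Löbian:", is_pre_lobian(CHAIN, range(3)),
          "Löbian:", is_lobian(CHAIN, range(3)))
```

The chain shows why Lemma 5.4 needs d-transitivity: without it, reaching an a-maximal state of p may take more than one step.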

6. Termination via Absence of Infinite Iteration

Cohen has extended Kleene algebra with an operator for infinite iteration [7] and presented 
applications of this omega algebra in concurrency control. His approach has been adapted 
to reasoning about program refinement in [35]. Omega algebra has also been used for
proving theorems about rewriting systems that depend on termination [31, 32]. This section
compares the notion of Noetherity induced by infinite iteration with the standard one. It
turns out that the former can behave in rather undesirable ways. Section 7 presents an
alternative approach that still is very similar to omega algebra, but captures the standard 
notion. 

The omega operator is defined, dually to the Kleene star, as a greatest post-fixpoint. 

Definition 6.1. An $\omega$-algebra is a structure $(S, \omega)$ such that S is a Kleene algebra and, for
all $a, b, c \in S$, the omega operator ${}^\omega : S \to S$ satisfies the unfold axiom and the co-induction
axiom

$$a^\omega \le a a^\omega, \qquad c \le ac + b \Rightarrow c \le a^\omega + a^* b.$$

Thus, $a^\omega = \nu x.\, ax$ is a greatest fixpoint; therefore $\omega$ is isotone with respect to the natural
ordering. The Kleene algebra REL(M) of relations can be extended to an $\omega$-algebra in the
standard way (see, for example, [27]).

The natural notion of termination for $\omega$-algebra is of course absence of infinite iteration.

Definition 6.2. An element a of an $\omega$-algebra is $\omega$-Noetherian if $a^\omega \le 0$.

Like in Section 2 for the Kleene star, it seems interesting to lift the axioms of $\omega$-algebra
to the operator level. This is very simple for the unfold axiom. The lifting of the induction
axiom of Kleene algebra uses the demodalisation axiom (dia1) to eliminate a diamond from
the left-hand side of an identity. In the co-induction axiom of $\omega$-algebra, however, the
diamond of interest occurs at a right-hand side and there is no law like demodalisation to
handle it. Therefore, the lifting seems to require additional assumptions.

Lemma 6.3. The diamonds over an extensional modal $\omega$-algebra form an $\omega$-algebra.

Proof. We show that $|a\rangle^\omega = |a^\omega\rangle$ satisfies the unfold and co-induction axiom of $\omega$-algebra.

For the unfold axiom, $|a\rangle^\omega = |a^\omega\rangle \le |aa^\omega\rangle = |a\rangle|a^\omega\rangle = |a\rangle|a\rangle^\omega$, by isotony of diamonds.

For the co-induction axiom, assume $|c\rangle \le |a\rangle|c\rangle + |b\rangle = |ac + b\rangle$, whence $c \le ac + b$
by extensionality. Then $c \le a^\omega + a^*b$ follows from the co-induction axiom and therefore
$|c\rangle \le |a^\omega\rangle + |a^*b\rangle = |a\rangle^\omega + |a\rangle^*|b\rangle$ by isotony of diamonds. □

The following lemma compares Noetherity and $\omega$-Noetherity. In particular, it shows
that their interrelation does not depend on extensionality of the modal semiring.

Lemma 6.4. Over modal $\omega$-algebras we have the following results.

(1) Noetherian elements are $\omega$-Noetherian.

(2) $\omega$-Noetherian elements can, but need not be, Noetherian,

(3) not even if extensionality is assumed.

Proof. (1) Let a be Noetherian. Then $|a^\omega\rangle \le |a\rangle|a^\omega\rangle$ implies that $|a^\omega\rangle p \le 0$ for all tests p.
Setting p = 1 and q = 0 in (dia1) shows $a^\omega \le 0$.

(2) In the $\omega$-algebra LAN($\Sigma$) of languages of finite words, $a^\omega = 0$ if $1 \sqcap a \le 0$, but also
$1 = |a\rangle 1$, whenever $a \ne 0$. Thus every a satisfying these conditions is $\omega$-Noetherian, but
not Noetherian. Moreover, 0 is $\omega$-Noetherian and Noetherian.

(3) Consider the standard ordering $\le$ on $\mathbb{N}$ and let S consist of all subrelations of $\le$
under the usual relational operations. In particular, the identity relation $1 = I_{\mathbb{N}}$ is the
multiplicative unit. Since S forms a complete lattice and the defining functions of $a^*$ and
$a^\omega$ are isotone, the star and omega operators exist for all elements by the Knaster-Tarski
theorem, and the structure is an $\omega$-algebra. Also, as a relational structure, it is extensional.
Now the successor function $\sigma$ on $\mathbb{N}$ is an element of S and $\sigma^\omega = \nu x.\, \sigma \cdot x$. Thus we must
solve the identity $x = \sigma \cdot x$. Obviously, the empty set is the only solution, since every
solution of this identity must also be a solution of $x = \sigma^k \cdot x$ for all $k \in \mathbb{N}$. But for each
pair $m \le n$ there is a unique $i \in \mathbb{N}$ such that $(m, n) \in \sigma^i$, so that choosing $k > i$ shows that
$(m, n)$ cannot be a member of any solution. Therefore $\sigma^\omega = 0$ and $\sigma$ is $\omega$-Noetherian.

However, $\sigma$ is a total function on $\mathbb{N}$ and therefore $|\sigma\rangle 1 = \mathrm{dom}\, \sigma = 1 \ne 0$. Consequently,
$\max_\sigma 1 = 1 - |\sigma\rangle 1 = 0$, but $1 \ne 0$, that is, $\sigma$ is not Noetherian. □

This lemma is a first indication that Noetherity characterises nontermination more
precisely than $\omega$-Noetherity. A more thorough discussion is provided in the next section.

7. Termination via Absence of Divergence 

We now introduce an alternative view of infinite iteration on a test algebra that handles 
the problems with $\omega$-algebra. It seems interesting for modelling the dynamics of infinite
processes and reactive systems in general. 

Definition 7.1. Let S be a modal semiring and $a \in S$.

(1) A test $\nabla a \in \mathrm{test}(S)$ is called the divergence of a if it satisfies, for all $a \in S$ and
$p \in \mathrm{test}(S)$, the unfold axiom and the co-induction axiom

$$\nabla a \le |a\rangle \nabla a, \qquad p \le |a\rangle p \Rightarrow p \le \nabla a.$$

(2) When $\nabla a$ exists, we call a convergent if $\nabla a = 0$ and divergent otherwise.

(3) $(S, \nabla)$ is a divergence semiring ($\nabla$-semiring) if $\nabla a$ exists for all $a \in S$.

(4) $(S, \nabla)$ is a divergence Kleene algebra ($\nabla$-Kleene algebra) if it is a divergence semiring
and S is a Kleene algebra.

(5) $(S, \nabla)$ is a divergence $\omega$-algebra ($\nabla$-$\omega$-algebra) if it is a divergence semiring and S is an
$\omega$-algebra.

The above axioms characterise $\nabla a$ uniquely as the greatest fixpoint of $|a\rangle$. As a unary
operator, $\nabla$ always binds most strongly.

Similar axioms have been used in [15] for defining mono-modal foundational algebras.

Since $|a\rangle p = \neg|a]\neg p$, existence of $\nabla a$ also implies existence of the least fixpoint $\neg\nabla a$ of
$|a]$; this is the halting predicate of the modal $\mu$-calculus (cf. [16]) which represents the set
of states from which no infinite a-computations emanate. Since this will play a role in later
examples, we introduce a separate operator for it.

Definition 7.2. We call the test $\Delta a = \neg\nabla a = \mu|a]$ the convergence of a.

$\nabla$-Kleene algebras behave similarly to $\omega$-algebras.

Lemma 7.3. Let S be a $\nabla$-Kleene algebra, let $a \in S$ and $p, q \in \mathrm{test}(S)$. The $\nabla$-co-induction
axiom is equivalent to

$$p \le |a\rangle p + q \Rightarrow p \le \nabla a + |a^*\rangle q. \qquad (7.1)$$

Proof. Assume the co-induction axiom and $p \le |a\rangle p + q$, that is, that p is expanded by
the function $\lambda x.\, |a\rangle x + q$. By Lemma 4.4(2), $\nu x.\, |a\rangle x + q = |a^*\rangle q + \nu|a\rangle$, and therefore also
$p \le |a^*\rangle q + \nu|a\rangle = |a^*\rangle q + \nabla a$, as claimed.

Conversely, setting q = 0 in (7.1) yields the co-induction axiom. □

The law (7.1) is often more suitable for computations than the co-induction axiom.
Existence of divergences can be guaranteed under additional assumptions.

Lemma 7.4. Every modal semiring with complete test algebra is a $\nabla$-semiring. Every
modal Kleene algebra with complete test algebra is a $\nabla$-Kleene algebra.

Proof. For every element a of a modal semiring with complete test algebra, $|a\rangle$ is isotone
and hence, by the Knaster-Tarski theorem, has a greatest fixpoint that satisfies the axioms
of Definition 7.1. The claim about modal Kleene algebras follows from the one about modal
semirings and the definitions. □

The co-induction axiom for $\nabla$-semirings comprises Noetherity as a special case.

Lemma 7.5.

(1) Every Noetherian element of a modal semiring converges.

(2) Every convergent element of a $\nabla$-semiring is Noetherian.

Thus, for Noetherian elements we can do without divergence and hence without the
presuppositions for its existence, such as completeness of the test algebra. This is important
for our applications in Section 10.

The following statement shows that the situation for $\omega$-Noetherian elements is different;
it is a corollary to Lemma 6.4 (the language counterexample) and Lemma 7.5.

Corollary 7.6. $\omega$-Noetherian elements of divergence $\omega$-algebras may be divergent.

Therefore divergence, which corresponds to the standard notion of Noetherity, provides
a more refined view of termination than $\omega$-Noetherity: the divergence characterises those
states from which infinite paths can emanate, while omega iteration tells whether the algebra
can represent these infinite paths in some way.

Let us illustrate this with the examples from the proof of Lemma 6.4. In the language
semiring LAN($\Sigma$) all elements $a \ne 0$ with $a \sqcap 1 = 0$ are non-Noetherian but $\omega$-Noetherian.
The distinction vanishes in the encompassing algebra of languages over finite and infinite
words, since it explicitly contains the infinite words as limits of iterated compositions of
non-empty finite words. In the algebra of relations presented in the proof of Lemma 6.4(3),
the successor relation $\sigma$ on $\mathbb{N}$ was shown to be non-Noetherian but $\omega$-Noetherian. This is
caused by the restriction to relations that are subrelations of the standard order $\le$ on $\mathbb{N}$.
The analysis there shows that in a relation a satisfying $a \le \sigma a$ the inverse image of every
number needs to be closed under $\sigma^* = {\le}$, which is not possible for subrelations of $\le$. In
the encompassing full relation algebra REL($\mathbb{N}$) over $\mathbb{N}$, however, such relations do exist; in
particular, there is the universal relation.

We now give a sufficient criterion for the coincidence of $\omega$-Noetherity and Noetherity.
It uses the fact that in each $\omega$-algebra $1^\omega$ is the greatest element. This follows from setting
a = 1 and b = 0 in the co-induction axiom. We define $\top = 1^\omega$. In particular, $\mathrm{dom}\, \top = 1$
since $\mathrm{dom}\, 1 = 1$ and dom is isotone.

Lemma 7.7. Let S be an $\omega$-algebra.

(1) $\mathrm{dom}\, a^\omega \le \nabla a$ holds for all $a \in S$.

(2) $\forall a.\; a\top = (\mathrm{dom}\, a)\top \;\Rightarrow\; \forall a.\; \nabla a \le \mathrm{dom}\, a^\omega$, that is, under this assumption $\omega$-Noetherity
and Noetherity coincide.

Proof.

(1) By isotony of diamonds and the unfold law of $\omega$-algebra, $|a^\omega\rangle \le |a\rangle|a^\omega\rangle$. This matches
the antecedent of the $\nabla$-co-induction axiom. The claim then follows by modus ponens.

(2) First note that every test p satisfies

$$\mathrm{dom}(p\top) = \mathrm{dom}(p\, \mathrm{dom}\, \top) = \mathrm{dom}(p1) = \mathrm{dom}\, p = p. \qquad (\dagger)$$

Now, by $\nabla$-unfold and the assumption,

$$\nabla a \top \le (|a\rangle \nabla a)\top = \mathrm{dom}(a \nabla a)\top = a \nabla a \top.$$

Therefore $\nabla a \top \le a^\omega$ by $\omega$-coinduction, and the claim follows by ($\dagger$) and isotony of
domain. □

The premise $\forall a.\; a\top = (\mathrm{dom}\, a)\top$ of (2) is equivalent to the explicit domain representation

$$\mathrm{dom}\, a = a\top \sqcap 1,$$

which holds in relation algebras but not in the relational structure defined in the proof of
Lemma 6.4(3). The equivalence is shown as follows. Assume $\forall a.\; a\top = (\mathrm{dom}\, a)\top$. We use
the fact [22] that for $p \in \mathrm{test}(S)$ and arbitrary element b we have $pb = p\top \sqcap b$ (even if the
semiring S does not have a general meet operation). Now we obtain

$$a\top \sqcap 1 = (\mathrm{dom}\, a)\top \sqcap 1 = (\mathrm{dom}\, a)1 = \mathrm{dom}\, a.$$

Assume conversely $\mathrm{dom}\, a = a\top \sqcap 1$. Subdistributivity of meet and the fact that $\top$ is the
greatest element then yield

$$(\mathrm{dom}\, a)\top = (a\top \sqcap 1)\top \le a\top\top = a\top.$$

Section 10 provides examples where proofs can faithfully be translated from $\omega$-algebra to
$\nabla$-Kleene algebra. And even beyond termination analysis, $\nabla$-Kleene algebras are interesting
for modelling infinite behaviour of programs, transition systems and reactive systems. Let
us give two examples.

Example 7.8. As mentioned before, the forward box is an algebraic counterpart of the
weakest liberal precondition operator wlp that is used in the partial correctness semantics
of imperative programs. Algebraically, programs are just state transitions, that is, elements
of a (modal) Kleene algebra. The conditional and the while loop are then expressed as (see,
for example, [20])

$$\text{if } p \text{ then } a \text{ else } b = pa + \neg p\, b, \qquad \text{while } p \text{ do } a = (pa)^* \neg p,$$

while validity of Hoare triples can be defined by

$$\vdash \{p\}\; a\; \{q\} \;\Leftrightarrow\; p \le |a]q \;\Leftrightarrow\; p \le \mathrm{wlp}(a)(q).$$

This has been used in [24] to give purely algebraic proofs of soundness and relative
completeness for the calculus of Hoare triples.

The theory can be extended to total and general correctness by passing to commands
of the form $(a, p)$ where a is an arbitrary semiring element that models transitions and p is a
test that represents the states from which termination is guaranteed (see, for example, [26]
for an approach based on predicate logic). Then the weakest precondition operator wp can
be defined as

$$\mathrm{wp}(a, p)(q) = p \cdot \mathrm{wlp}(a)(q).$$

In [25] it has been shown that the set of commands can be made into another modal semiring
in which the forward box expresses the wp operator. It turns out that the above-mentioned
soundness and completeness proofs apply to the algebra of commands as well and yield a
sound and relatively complete Hoare calculus for total correctness. Its rule for the do-od
loop, a generalisation of the while loop, reads, for command k and test p,

$$\frac{\{p\}\; k\; \{p\}}{\{\Delta k \cdot p\}\; \text{do } k \text{ od}\; \{p \cdot \neg\mathrm{grd}\, k\}}$$

where grd k, the guard of k, coincides with dom k (which is determined by the a component
of k) and the convergence $\Delta k$ from Definition 7.2 represents the set of states from where
iteration of k cannot lead to an infinite computation. For details we refer to [25]. □

Example 7.9. In [23], the class of Boolean quantales, which can conservatively be extended
into modal $\omega$ and $\nabla$-algebras by the explicit definitions $a^\omega = \nu x.\, ax$ and $\nabla a = \nu p.\, |a\rangle p$,
has been used to give algebraic semantics for the temporal logics CTL, CTL* and LTL. The
starting point is a straightforward translation of the standard semantics of CTL* in terms of
states and computation paths into algebraic terms. Again, tests represent sets of states while
semiring elements now represent sets of paths. Every CTL* formula $\varphi$ is then interpreted by
a semiring element $[\![\varphi]\!]$. A simplified semantics for the sublogic CTL is obtained as follows.
Structural induction shows that for every CTL formula $\varphi$ the CTL* semantics has the form
$[\![\varphi]\!] = p\top$ for some test p. This algebraically reflects the fact that CTL formulas are state
formulas corresponding to sets of states rather than sets of paths; the element $p\top$ represents
the set of all paths that start in the set p. The simplified semantics is then extracted by
setting $[\![\varphi]\!]_d = \mathrm{dom}\, [\![\varphi]\!]$; this returns a test, that is, an abstract representation of a set of
states. The algebraic background is that $\mathrm{dom}(p\top) = p$ for a test p. Now the convergence
operator enters the play, since it turns out that the always-finally operator has the simplified
semantics

where p = fv^Jrf, and a is the element that generates the computation paths; it can be 
thought of as a set of paths of length two that corresponds to a transition relation. For 
details we refer to [23]. □ 

8. Basic Divergence Calculus 

The unfold and co-induction axioms of $\nabla$-Kleene algebras lead to properties that are
analogous to those of $\omega$-algebras. However, because of the different axiomatisations, we cannot
transfer them without proof. Here we collect only some properties that are needed in a
later section.

Lemma 8.1. Let S be a $\nabla$-Kleene algebra and let $a, b \in S$.

(1) $\nabla 0 = 0$ and $\nabla 1 = 1$,

(2) $\nabla a = |a\rangle \nabla a$,

(3) $\nabla a = |a\rangle^* \nabla a$,

(4) $a \le b \Rightarrow \nabla a \le \nabla b$,

(5) $\nabla a = \nabla(a^+)$,

(6) $\nabla(a + b) = \nabla(a^*b) + |a^*b\rangle^* \nabla a$,

(7) $|b^*\rangle(\nabla(b^*a)) = \nabla(b^*a)$.

Proof.

(1) The first property follows by $\nabla$-unfold, the second one by $\nabla$-co-induction.

(2) ($\le$) is just the unfold axiom. ($\ge$) reduces, by co-induction, to $|a\rangle \nabla a \le |a\rangle|a\rangle \nabla a$, which
follows from the unfold axiom and isotony.

(3) ($\le$) follows from the regular identity $1 \le a^*$ and isotony. ($\ge$) reduces, by the unfold
axiom, to $|a^*\rangle \nabla a \le |a\rangle|a^*\rangle \nabla a$. But $|a^*\rangle \nabla a = |a^*\rangle|a\rangle \nabla a = |a\rangle|a^*\rangle \nabla a$ holds by (2) and
the regular identity $aa^* = a^*a$.

(4) Let $a \le b$. For $\nabla a \le \nabla b$ it suffices, by co-induction, to show that $\nabla a \le |b\rangle \nabla a$. But
$\nabla a \le |a\rangle \nabla a \le |b\rangle \nabla a$ holds by unfold and isotony.

(5) ($\le$) follows from isotony of $\nabla$ (4) and the regular identity $a \le a^+$. ($\ge$) reduces, by
co-induction, to $\nabla(a^+) \le |a\rangle \nabla(a^+)$. We calculate

$$\nabla(a^+) \le |a^+\rangle \nabla(a^+) = |a\rangle|a^*\rangle \nabla(a^+) = |a\rangle|(a^+)^*\rangle \nabla(a^+) = |a\rangle \nabla(a^+).$$

The third step follows by the regular identity $a^* = (a^+)^*$. The last step uses (3).

(6) ($\le$) reduces, by co-induction (variant (7.1)), to

$$\nabla(a + b) \le \nabla a + |a^*b\rangle \nabla(a + b) = \nabla a + |a^*\rangle(|b\rangle \nabla(a + b)),$$

which, again by co-induction (7.1), reduces to

$$\nabla(a + b) \le |a\rangle \nabla(a + b) + |b\rangle \nabla(a + b) = |a + b\rangle \nabla(a + b).$$

But this holds by the unfold axiom.
($\ge$) We calculate

$$\begin{aligned}
\nabla(a^*b) + |(a^*b)\rangle^* \nabla a &= \nabla(a^*b) + |(a^*b)^*\rangle \nabla a \\
&\le \nabla((a + b)^+) + |(a + b)^*\rangle \nabla(a + b) \\
&= \nabla(a + b) + \nabla(a + b) \\
&= \nabla(a + b).
\end{aligned}$$

The first step follows from the regular identities $a^*b \le (a + b)^+$ and $(a^*b)^* \le (a + b)^*$
and isotony. The second step follows from (5) and

(7) We calculate

$$\nabla(b^*a) = |b^*a\rangle \nabla(b^*a) = |b^*\rangle|b^*a\rangle \nabla(b^*a) = |b^*\rangle \nabla(b^*a).$$

The first and last steps use (2). The second step uses the regular identity $b^*b^* = b^*$. □

9. Termination via Normalisation 

After this introduction to the divergence calculus, we now resume the connection between
semiring elements and transition systems. Remember from Lemma 4.5(7) that, for transition
system a, the test $\max_a 1 = \neg\mathrm{dom}\, a$ can be viewed as an abstract representation of
the normal forms with respect to a-transitions, that is, the states from which no (further)
a-transitions are possible. The process of normalisation, that is, repeated a-transitions until
a normal form has been reached (if there is one) is then described by the following notion.

Definition 9.1. The normaliser of an element a of a modal Kleene algebra is

$$\mathrm{nml}\, a = a^* (\max_a 1) = a^* \neg\mathrm{dom}\, a.$$

In the relation semiring, nml a relates every element to the set of its normal forms under 
iterated a-transitions (if any). From the definition we immediately obtain the following 
special cases. 

Corollary 9.2. $\mathrm{nml}\, 0 = 1$ and $\mathrm{dom}\, a = 1 \Rightarrow \mathrm{nml}\, a = 0$.

The first of these expressions means that if there are no transitions, then every state 
is a normal form, but one that is related only to itself. The second one means that a total 
transition element has no normal forms at all, and hence no element can be related to a 
normal form. 

Another property is that normalisers are multiplicatively idempotent.

Lemma 9.3. $(\mathrm{nml}\, a)(\mathrm{nml}\, a) = \mathrm{nml}\, a$.

Proof. We calculate, using Lemma 4.5(7) and the multiplicative idempotence of tests,

$$a^* (\max_a 1)\, a^* (\max_a 1) = a^* (\max_a 1)(\max_a 1) = a^* (\max_a 1). \quad \Box$$

Next, Noetherity implies that normal forms exist for all domain elements.

Lemma 9.4. For every Noetherian element a of a modal Kleene algebra, $\mathrm{dom}\, \mathrm{nml}\, a = 1$.

Proof. By Theorem 5.5 a is pre-Löbian. Now we calculate, using that by definition always
$\mathrm{dom}\, a \le 1$, and setting $m = \max_a 1 = \neg\mathrm{dom}\, a$,

$$\begin{aligned}
\mathrm{dom}\, \mathrm{nml}\, a = \mathrm{dom}(a^* m) = |a^*\rangle m = |1 + a^+\rangle m &= m + |a^+\rangle(\max_a 1) \\
&\ge m + |a\rangle 1 = \neg\mathrm{dom}\, a + \mathrm{dom}\, a = 1.
\end{aligned}$$

The decisive step is the inequality; it uses the defining property of pre-Löbian elements from
Definition 5.3(1). □

The converse of this statement does not hold. 

Example 9.5. Consider the relation semiring over a two-element set $\{A, B\}$ and let
$a = \{(A, A), (A, B)\}$. Then $\mathrm{nml}\, a = \{(A, B), (B, B)\}$ and $\mathrm{dom}\, \mathrm{nml}\, a = \{(A, A), (B, B)\} = 1$.
But $\{(A, A)\} \subseteq a$ is not Noetherian and therefore, by Lemma 4.6(3), neither is a. □

The following example relates normalisation and $\omega$-Noetherity.

Example 9.6. The algebra LAN($\Sigma$) of formal languages is both an $\omega$-algebra and a modal
Kleene algebra with test set $\{0, 1\}$. We have already shown that $|a\rangle 1 = \mathrm{dom}\, a = 1 \ne 0$
when $a \ne 0$. Hence an element a is Noetherian iff a = 0. Moreover, distinguishing the
cases a = 0 and $a \ne 0$, Corollary 9.2 shows that $\mathrm{nml}\, a = \neg\mathrm{dom}\, a = \max_a 1$ (and hence
also $\mathrm{dom}\, \mathrm{nml}\, a = \neg\mathrm{dom}\, a$). This expresses the fact that, by totality of concatenation, a
non-empty language can be iterated indefinitely without reaching a normal form. But we
also have $a^\omega = 0$ whenever $1 \sqcap a = 0$. Therefore, $a^\omega = 0$ does not imply that $\mathrm{dom}\, \mathrm{nml}\, a = 1$,
while $\nabla a = 0$ still implies this fact. □

Again, this shows that $\omega$-algebra models nontermination less finely than the notions of
Noetherity or divergence.

10. Additivity of Termination

We now turn to transition systems induced by term rewriting or reduction rules. Abstract
reduction is that part of rewriting theory that disregards the term structure. It is essentially
relational. Many statements of abstract reduction that depend on termination can be proved
in $\omega$-algebra [31, 32], among them a variant of the wellfounded union theorem of Bachmair
and Dershowitz [2]. Since we have seen that termination is characterised in $\omega$-algebra
less sharply than in $\nabla$-Kleene algebra, it is interesting and important to reconsider that
proof. We will see that our new proofs again yield precise reconstructions of the standard
diagrammatic argument. Thus modal Kleene algebra also admits an algebraic semantics
for abstract reduction systems.

The connection between Kleene algebra and rewriting is as follows. An abstract
reduction system (cf. [34]) is simply a set endowed with a family of binary relations. The
operations on relations considered in rewriting are composition, union, conversion and
symmetric, transitive and reflexive transitive closure. Therefore, properties of abstract rewrite
systems can be expressed in modal Kleene algebra (conversion is obtained via the backward
modal operators).

Definition 10.1. Let S be a Kleene algebra and let $a, b \in S$.

(1) a locally semi-commutes over b if $ba \le a^+ b^*$.

(2) a semi-commutes over b if $b^*a \le a^+ b^*$.

(3) a quasi-commutes over b if $ba \le a(a + b)^*$.

Semi-commutation and quasi-commutation state conditions for shifting certain steps to
the left of others. In general, sequences of a-steps and b-steps can be split into a "good"
part with all a-steps occurring to the left of b-steps and into a "bad" part in which both
kinds of steps are mixed.

For working with $\nabla$-Kleene algebras, we lift these properties to the operator level. As
in Section 5 for transitivity, we introduce notions of diamond-commutation.

Definition 10.2. We say that a locally d-semi-commutes over b if $|b\rangle|a\rangle \le |a\rangle^+|b\rangle^*$, and
likewise for the other notions.

Again, the d-commutation properties are more general than the respective commutation 
properties; they are equivalent when the modal Kleene algebra is extensional. To avoid 
extensionality we will henceforth base our statements and proofs on d-commutation. 

But first, we mention two auxiliary properties used to relate semi-commutation and 
quasi-commutation. The first one has been shown in [32], the second one lifts corresponding 
properties in [19].

Lemma 10.3.

(1) For all elements a and b of a Kleene algebra,

$$(a + b)^* = a^*b^* + a^*b^+a(a + b)^*. \qquad (10.1)$$

(2) For all a, b and c of a modal Kleene algebra,

$$|ba\rangle \le |ac\rangle \Rightarrow |b\rangle^*|a\rangle \le |a\rangle|c\rangle^*, \qquad |ba\rangle \le |ac\rangle \Rightarrow |b\rangle^+|a\rangle \le |a\rangle|c\rangle^+. \qquad (10.2)$$

The following lemma relates semi-commutation and quasi-commutation. A proof in
$\omega$-algebra has been given in [32]. Here, we show that it translates to modal Kleene algebra.
Remember that, by Lemma 7.5(1), we can freely use the calculus of $\nabla$-Kleene algebra for
Noetherian elements already in modal Kleene algebra.

Lemma 10.4. Let S be a modal Kleene algebra and let $a, b \in S$ with a Noetherian. The
following properties are equivalent.

(1) a locally d-semi-commutes over b.

(2) a d-semi-commutes over b.

(3) a d-quasi-commutes over b.

Proof. We only show equivalence between local semi-commutation and quasi-commutation.
The proof for semi-commutation is similar. We set $f = |a\rangle$ and $g = |b\rangle$.

Let a locally d-semi-commute over b. By pure Kleene algebra and without any Noetherity
assumptions, $gf \le f^+g^* = ff^*g^* \le f(f + g)^*$.

Let now a d-quasi-commute over b. First, as in [32], we show that $h = f(f + g)^*$ satisfies
$h \le f^+(g^* + h)$:

$$\begin{aligned}
f(f + g)^* &= f(f^*g^* + f^*g^+f(f + g)^*) && \text{by (10.1)} \\
&= f^+(g^* + g^+f(f + g)^*) && \text{distributivity and def. } f^+ \\
&\le f^+(g^* + f(f + g)^{*+}(f + g)^*) && \text{by assumed d-quasi-commutation and (10.2)} \\
&\le f^+(g^* + f(f + g)^*) && \text{regular identity } c^{*+}c^* \le c^*.
\end{aligned}$$

The above identity written point-wise means that, for all $p \in \mathrm{test}(S)$,

$$h(p) \le f^+(h(p)) + f^+(g^*(p)).$$

Modulo $|a\rangle^+ = |a^+\rangle$, this matches the left-hand side of the co-induction rule (7.1) of
$\nabla$-Kleene algebra for $\nabla(a^+)$. Since a is Noetherian, so is $a^+$ by Lemma 4.6(4). Therefore
$\nabla(a^+)$ exists by Lemma 7.5(1), namely $\nabla(a^+) = 0$. Hence

$$g(f(p)) \le h(p) \le \nabla(a^+) + (f^+)^*(f^+(g^*(p))) = f^+(g^*(p)),$$

as required, where the first step uses the assumption of d-quasi-commutation. □

The proof of Lemma 10.4 simulates a previous one in $\omega$-algebra. In [32] it has been
argued that the latter formally reconstructs the previous diagrammatic proof from [30].
Therefore the new proof shares this property. However, our other formal notions of Noetherity
provide the flexibility to use different techniques, when necessary. An alternative proof
that uses Noetherity directly is given in [9].

Lemma 10.5. Let S be a divergence Kleene algebra. Let $a, b \in S$ and let a d-quasi-commute
over b. Then Noetherity of a implies Noetherity of $b^*a$.

Proof. From Lemma 7.5(1) we know that Noetherity of a implies convergence of a. We
now show that convergence of a implies convergence of $b^*a$. Suppose $\nabla a \le 0$. From the
quasi-commutation assumption and Lemma 10.4 we infer $|b^*a\rangle \le |a^+b^*\rangle$. Therefore, by
Lemma 8.1(2) and Lemma 8.1(7),

$$\nabla(b^*a) = |b^*a\rangle \nabla(b^*a) \le |a^+b^*\rangle \nabla(b^*a) = |a^+\rangle \nabla(b^*a).$$

Now $\nabla(b^*a) \le |a^+\rangle \nabla(b^*a)$ implies $\nabla(b^*a) \le \nabla(a^+)$ by co-induction, from which the claim
$\nabla(b^*a) \le 0$ follows by Lemma 8.1(5) and Noetherity of a. By Lemma 7.5(2) convergence of
$b^*a$ implies Noetherity of $b^*a$ and we are done. □

Lemma 10.5 generalises Lemma 2 of [2]. Again, its proof simulates an earlier calculation
in $\omega$-algebra and directly corresponds to a diagrammatic proof [13, 32].

We now generalise the quasi-commutation theorem of Bachmair and Dershowitz
(Theorem 1 of [2]).

Theorem 10.6. Let S be a divergence Kleene algebra. Let $a, b \in S$ be such that a
d-quasi-commutes over b. Then a + b is Noetherian iff a and b are Noetherian:

$$\nabla(a + b) \le 0 \Leftrightarrow \nabla a + \nabla b \le 0.$$

Proof. By Lemma 4.6(2), Noetherity of a sum is inherited by its summands. So it remains to
show the converse direction. Let $\nabla a + \nabla b \le 0$. First, denesting $\nabla(a + b)$ using Lemma 8.1(6)
yields

$$\nabla(a + b) = \nabla(b^*a) + |b^*a\rangle^* \nabla b.$$

Now $\nabla(b^*a)$ vanishes by Lemma 10.5 using the assumption of d-quasi-commutation and
Noetherity of a, and $|b^*a\rangle^* \nabla b$ vanishes by Noetherity of b and strictness of diamonds. Thus
also $\nabla(a + b) \le 0$. □

These results show that proofs for abstract reduction systems in modal Kleene algebra
are as simple as those in $\omega$-algebra. The original proofs in [2] are rather informal, while
also previous diagrammatic proofs (see, for example, [30]) suppress many steps. Contrarily,
the algebraic proofs are complete, formal and still simple. An extensive discussion of the
relationship between the proofs in $\omega$-algebra and their diagrammatic counterparts can be
found in [13, 32]. In particular, the algebraic proofs mirror precisely the diagrammatic ones
and follow essentially the line of reasoning from [2]. While this also holds for the modal
proofs, it is not true for a relational proof of a similar, but somewhat more general theorem
in [12] that uses the weaker condition $ba \le a(a + b)^* + b$ instead of quasi-commutation.
$\omega$-algebra has been used for proving further statements from concurrency control [7] and
abstract rewriting [32] in a simple calculational way. We conjecture that they all translate
to modal Kleene algebra.
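
Definition 7.1, Lemma 8.1(6), Example 9.5 and Theorem 10.6 can be replayed on finite relations, where $\nabla a$ is obtained by iterating $|a\rangle$ downward from the full state set. This is an added example, not code from the paper; the function names, the small state sets and the brute-force enumeration are assumptions of the illustration, and a finite check only confirms the statements on these models.

```python
from itertools import product

def compose(a, b):
    """Relational product: an a-step followed by a b-step."""
    return frozenset((x, z) for (x, y) in a for (w, z) in b if y == w)

def star(a, states):
    """a*: reflexive transitive closure over the given state set."""
    closure = frozenset((s, s) for s in states)
    while True:
        bigger = closure | compose(closure, a)
        if bigger == closure:
            return closure
        closure = bigger

def diamond(a, p):
    """|a>p: states with an a-step into p."""
    return frozenset(x for (x, y) in a if y in p)

def divergence(a, states):
    """nabla a: greatest fixpoint of |a>, reached by iterating down from all states."""
    p = frozenset(states)
    while True:
        smaller = diamond(a, p)
        if smaller == p:
            return p
        p = smaller

def normaliser(a, states):
    """nml a = a* . not(dom a): relates each state to its a-normal forms."""
    normal_forms = frozenset(states) - diamond(a, frozenset(states))
    return frozenset((x, y) for (x, y) in star(a, states) if y in normal_forms)

def quasi_commutes(a, b, states):
    """ba <= a(a+b)*; relations are extensional, so this is d-quasi-commutation."""
    return compose(b, a) <= compose(a, star(a | b, states))

def denesting_holds(a, b, states):
    """Lemma 8.1(6): nabla(a+b) = nabla(a*b) + |a*b>* nabla a."""
    a_star_b = compose(star(a, states), b)
    rhs = divergence(a_star_b, states) | diamond(star(a_star_b, states),
                                                 divergence(a, states))
    return divergence(a | b, states) == rhs

def relations(states):
    """All binary relations on the state set."""
    pairs = [(x, y) for x in states for y in states]
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(pr for pr, bit in zip(pairs, bits) if bit)

def denesting_failures(n):
    """Number of pairs (a, b) of relations on n states violating Lemma 8.1(6)."""
    states = range(n)
    rels = list(relations(states))
    return sum(not denesting_holds(a, b, states) for a in rels for b in rels)

def theorem_10_6_check(n):
    """(quasi-commuting pairs of convergent relations, pairs whose union diverges)."""
    states = range(n)
    convergent = [r for r in relations(states) if not divergence(r, states)]
    pairs = [(a, b) for a in convergent for b in convergent
             if quasi_commutes(a, b, states)]
    return len(pairs), sum(bool(divergence(a | b, states)) for a, b in pairs)

# The relation of Example 9.5 on the two-element set {A, B}.
EX_9_5 = frozenset({("A", "A"), ("A", "B")})
# Constructed pair: each relation converges, but they do not quasi-commute
# and their union 0 -> 1 -> 0 diverges everywhere.
A_STEP, B_STEP = frozenset({(0, 1)}), frozenset({(1, 0)})

if __name__ == "__main__":
    print("nml a       =", sorted(normaliser(EX_9_5, ("A", "B"))))
    print("nabla a     =", sorted(divergence(EX_9_5, ("A", "B"))))
    print("8.1(6) fails:", denesting_failures(2))
    print("Thm 10.6    :", theorem_10_6_check(3))
```

For Example 9.5 the normaliser has full domain while $\nabla a = \{A\}$, which is the gap between Lemma 9.4 and its converse.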



11. Newman's Lemma 

We now turn from quasi-commutation and semi-commutation to commutation and
confluence. In rewriting theory, the generalisation from confluence to commutation has led to a
theory of term rewriting for non-symmetric transitive relations and pre-congruences that
comprises the traditional equational case [29, 30]. In particular, it introduces
commutation-based variants of Church-Rosser theorems and of Newman's lemma. While the former can
be proved in plain Kleene algebra [31, 32], it has been conjectured in [32] that a proof of
Newman's lemma in pure $\omega$-algebra is impossible; that approach seems to cover only the
regular fragment of abstract reduction, i.e., working at one end of a derivation expression,
whereas proofs of Newman's lemma seem to require a context-free setting, since they also
have to work in the interior of such expressions.

We reconstruct a previous diagrammatic proof of a variant of Newman's lemma for
non-symmetric rewriting in modal Kleene algebra. Independently, the same statement has been
obtained by purely syntactic considerations in [12]. There, it has been proven in a relation
algebra without complementation that is more expressive than the algebras considered here.
A relation-algebraic proof of the equational variant of Newman's lemma (cf. [34]) has been
given in [27]. This proof, however, depends on normal forms which are not present in the
non-symmetric case. In general, the results from [29, 30] show that confluence properties
should be conceptually separated from such normal forms.

A straightforward relational specification of commutation and confluence requires the
operation of relational conversion, which is not present in Kleene algebra. In [12], residuals
(or factors) are used as a restricted form of conversion. We simulate conversion in modal
Kleene algebra by semiring opposition, that is, by switching between forward and backward
modal operators.

Definition 11.1. Let $S$ be a modal Kleene algebra and let $a, b \in S$.

(1) $a$ and $b$ d-commute if $\langle b^*||a^*\rangle \le |a^*\rangle\langle b^*|$.

(2) $a$ and $b$ locally d-commute if $\langle b||a\rangle \le |a^*\rangle\langle b^*|$.

(3) An element is (locally) d-confluent if it (locally) d-commutes with itself. 

As with transitivity and semi-commutation, the d-variants are strictly more general
than the "classical" diamond-free ones (for example, in a semiring with a converse operation
$^\smile$ such as the relation semiring, $a$ and $b$ commute iff $(b^\smile)^* a^* \le a^* (b^\smile)^*$).

Alternatively, if forward and backward modal operators are not both available,
commutation can be expressed by an algebraic variant of the Geach formula
$|b\rangle|d] \le |a]|c\rangle$ from modal logic (cf. [6]). The equivalences

$$|b\rangle|d] \le |a]|c\rangle \;\Leftrightarrow\; \langle a||b\rangle|d] \le |c\rangle \;\Leftrightarrow\; \langle a||b\rangle \le |c\rangle\langle d|$$

follow from the Galois and co-Galois connections.

We now prove the following variant of Newman's lemma. 

Theorem 11.2. Let S be a modal Kleene algebra with complete test algebra. If a + b is 
Noetherian and a and b locally d-commute then a and b d-commute. 

Proof. We use $dc(p,a,b)$ to express that two elements $a$ and $b$ d-commute when restricted
to a set $p$ of starting states:

$$dc(p,a,b) \;\Leftrightarrow\; \langle b^*|\langle p\rangle|a^*\rangle \le |a^*\rangle\langle b^*|.$$

The notation $\langle p\rangle$ indicates that, since $p$ is a test, it does not matter whether we use the
forward or backward diamond. Then $a$ and $b$ d-commute iff $dc(1,a,b)$ holds. By isotony of
diamonds, $dc$ is downward closed in its first argument, that is, $dc(p,a,b)$ and $q \le p$ imply
$dc(q,a,b)$. Moreover, by completeness of the test algebra,

$$r = \sup\{p : dc(p,a,b)\}$$

exists. It represents the set of all states on which $a$ and $b$ d-commute. In particular, $r$
itself satisfies $dc(r,a,b)$. This holds since diamonds and, by (2.1), also meets in a Boolean
algebra are completely additive.

Together with downward closure of $dc$ this implies that

$$p \le r \;\Leftrightarrow\; dc(p,a,b). \qquad (11.1)$$

We use the dual variant $|a+b]q \le q \Rightarrow 1 \le q$ of Noetherity of $a+b$ to show that $r = 1$,
which, by the above remark, establishes d-commutation.
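To obtain a suitable sufficient condition, we calculate

$$
\begin{array}{rll}
|a+b]r \le r & \Leftrightarrow\ \forall p.(p \le |a+b]r \Rightarrow p \le r) & \text{order theory}\\
& \Leftrightarrow\ \forall p.(\langle a+b|p \le r \Rightarrow p \le r) & \text{Galois connection (2.2)}\\
& \Leftrightarrow\ \forall p.(\langle a|p \le r \wedge \langle b|p \le r \Rightarrow p \le r) & \text{additivity of diamonds and Boolean algebra}\\
& \Leftrightarrow\ \forall p.(dc(p_a,a,b) \wedge dc(p_b,a,b) \Rightarrow dc(p,a,b)) & \text{by (11.1)}
\end{array}
$$

where, for $x \in \{a,b\}$, $p_x$ abbreviates $\langle x|p = \mathrm{cod}(px)$.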

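So, assuming $dc(p_a,a,b) \wedge dc(p_b,a,b)$, we must now show $dc(p,a,b)$. By the star unfold
law and distributivities,

$$\langle b^*|\langle p\rangle|a^*\rangle \le \langle b^*|\langle p\rangle + \langle b^*|\langle b|\langle p\rangle|a\rangle|a^*\rangle + \langle p\rangle|a^*\rangle.$$

The outer two of these summands are below $|a^*\rangle\langle b^*|$ by isotony of diamonds and Kleene
algebra. For the middle summand we first show

$$\langle p\rangle|a\rangle \le |a\rangle\langle p_a\rangle, \qquad \langle b|\langle p\rangle \le \langle p_b\rangle\langle b|. \qquad (11.2)$$

For the left identity, we calculate

$$\langle p\rangle|a\rangle = |pa\rangle = |pa\,\mathrm{cod}(pa)\rangle \le |a\,\mathrm{cod}(pa)\rangle = |a\rangle\langle p_a\rangle.$$

The proof of the right identity is dual.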

Now the main claim is shown by the following calculation. 

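$$
\begin{array}{rll}
\langle b^*|\langle b|\langle p\rangle|a\rangle|a^*\rangle & \le\ \langle b^*|\langle p_b\rangle\langle b||a\rangle\langle p_a\rangle|a^*\rangle & \text{idempotence of } \langle p\rangle \text{, (11.2) twice and isotony of diamonds}\\
& \le\ \langle b^*|\langle p_b\rangle|a^*\rangle\langle b^*|\langle p_a\rangle|a^*\rangle & \text{local d-commutation of } a \text{ and } b\\
& \le\ \langle b^*|\langle p_b\rangle|a^*\rangle|a^*\rangle\langle b^*| & \text{assumption } dc(p_a,a,b)\\
& \le\ \langle b^*|\langle p_b\rangle|a^*\rangle\langle b^*| & \text{regular identity } c^*c^* = c^* \text{ lifted to diamonds}\\
& \le\ |a^*\rangle\langle b^*|\langle b^*| & \text{assumption } dc(p_b,a,b)\\
& \le\ |a^*\rangle\langle b^*| & \text{above regular identity again.}
\end{array}
$$
□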



The last calculation in the proof can be visualised by the following diagram in which the
bottom point is in $p$ and the two points in the next higher layer are in $p_b$ and $p_a$, respectively.




We conclude by noting that the assumption of Noetherity of a + b cannot be weakened to 
separate Noetherity of a and b. 

Example 11.3 ([29]). Consider the following relations a and b. 



[Figure: the relations a and b.]

Relations $a$ and $b$ locally commute:

- $\langle b||a\rangle\{1\} = \langle b||a\rangle\{2\} = \emptyset$.

- $\langle b||a\rangle\{3\} = \{1\} \le \{1,2,3\} = |a\rangle^*\langle b|^*\{3\}$.

- $\langle b||a\rangle\{4\} = \{2\} \le \{2,3,4\} = |a\rangle^*\langle b|^*\{4\}$.

- The remaining cases follow from the atomic ones by additivity.

However, $a$ and $b$ do not commute, even though both are (separately) Noetherian:

- $\langle b||a\rangle|a\rangle\{4\} = \{1\} \not\le \{2,3,4\} = |a\rangle^*\langle b|^*\{4\}$.

$a + b$ is not Noetherian: An infinite $a+b$-chain alternates between 2 and 3. □
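The checks of Example 11.3 can be carried out mechanically on finite relations; the following is an added example, not part of the paper. The diagram of a and b is not reproduced on this page, so the sets `A` and `B` are an assumed reconstruction chosen to match the values listed above, and all function names are introduced here.

```python
from itertools import combinations

# Constructed relations on states {1,2,3,4}. The page's figure is missing, so
# these are an assumption chosen to reproduce the values in Example 11.3.
STATES = frozenset({1, 2, 3, 4})
A = frozenset({(2, 3), (3, 4)})
B = frozenset({(2, 1), (3, 2)})

def fd(rel, p):
    """Forward diamond |rel>p: states with a rel-successor in p (preimage)."""
    return frozenset(x for (x, y) in rel if y in p)

def bd(rel, p):
    """Backward diamond <rel|p = cod(p rel): rel-successors of states in p."""
    return frozenset(y for (x, y) in rel if x in p)

def star(rel):
    """Reflexive transitive closure of rel on STATES."""
    closure = set(rel) | {(s, s) for s in STATES}
    while True:
        extra = {(x, z) for (x, y) in closure for (y2, z) in closure if y == y2}
        if extra <= closure:
            return frozenset(closure)
        closure |= extra

def tests():
    """All subsets of STATES, i.e. the (complete) test algebra."""
    items = sorted(STATES)
    return [frozenset(c) for n in range(len(items) + 1)
            for c in combinations(items, n)]

def locally_d_commute(a, b):
    """<b||a>p <= |a*><b*|p for every test p (Definition 11.1(2))."""
    sa, sb = star(a), star(b)
    return all(bd(b, fd(a, p)) <= fd(sa, bd(sb, p)) for p in tests())

def d_commute(a, b):
    """<b*||a*>p <= |a*><b*|p for every test p (Definition 11.1(1))."""
    sa, sb = star(a), star(b)
    return all(bd(sb, fd(sa, p)) <= fd(sa, bd(sb, p)) for p in tests())

def noetherian(rel):
    """No nonempty test p with p <= |rel>p, i.e. no infinite rel-chain."""
    return not any(p and p <= fd(rel, p) for p in tests())

if __name__ == "__main__":
    print("locally d-commute:", locally_d_commute(A, B))
    print("d-commute:", d_commute(A, B))
    print("a, b, a+b Noetherian:", noetherian(A), noetherian(B), noetherian(A | B))
```

The union `A | B` plays the role of a + b in the relation semiring; the only atom on which d-commutation fails for these sets is {4}, as in the example.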



12. Confluence and Unique Normal Forms 

From the relational setting it is well known that confluence implies uniqueness of normal
forms. This means that there the normaliser $\mathrm{nml}\,a = a^*(\max_a 1)$ (cf. Section 9) is a (partial)
function, that is, a deterministic relation. A relation $a$ is a partial function iff $a^\smile a \le 1$ [27].
Again, this property can be abstracted to the level of modal operators.

Definition 12.1. An element $a$ of a modal semiring is d-deterministic if

$$\langle a||a\rangle \le 1,$$

or, equivalently, if $|a\rangle \le |a]$.

Of course, d-determinism is a special case of local d-confluence or d-commutation. It 
is immediate from the definition that every test is d-deterministic. The analogue to the 
above-mentioned relational property can be stated as follows. 

Lemma 12.2. The normaliser of a d-confluent element of a modal Kleene algebra is d- 
deterministic. 

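Proof. Set $m = \max_a 1 = \neg\mathrm{dom}\,a$. First, note that by ([27 $pq \le q$ for all
tests $p, q$ and hence

$$|p\rangle = \langle p| \le 1. \qquad (\dagger)$$

Then we calculate as follows.

$$
\begin{array}{rll}
\langle \mathrm{nml}\,a||\mathrm{nml}\,a\rangle & =\ \langle a^*m||a^*m\rangle & \text{def. nml}\\
& =\ \langle m|\langle a^*||a^*\rangle|m\rangle & \text{by (dia2')}\\
& \le\ \langle m||a^*\rangle\langle a^*||m\rangle & \text{confluence of } a\\
& =\ |m\rangle|a^*\rangle\langle a^*|\langle m| & \text{by } (\dagger)\\
& =\ |ma^*\rangle\langle ma^*| & \text{by (dia2')}\\
& =\ |m\rangle\langle m| & \text{Lemma 4.5(7)}\\
& \le\ 1 & \text{by } (\dagger).
\end{array}
$$
□

This statement is independent of termination properties. It has been added to further
demonstrate the applicability of modal Kleene algebra in rewriting theory.

Example 12.3. The relation $a$ from Example 9.5 is confluent but not Noetherian and has
the unique normal form B. The normaliser of $a$ is deterministic, as stated in Lemma 12.2. □
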
13. Conclusion

We have shown that modal semirings, modal Kleene algebras and divergence Kleene algebras 
are versatile tools for termination analysis, introducing and comparing different notions of 
termination and applying our techniques to examples from rewriting theory. All proofs are 
abstract, concise and calculational. A particular result of our analysis is a critique of an 
earlier approach to termination based on omega algebra. Together with previous work
[31, 32], our case studies on rewriting, more precisely, on abstract reduction systems, show that
parts of this theory can be reconstructed in modal Kleene algebra and divergence Kleene
algebra. Due to its simplicity, the approach has considerable potential for mechanisation
and automation. There are strong connections to automata-based decision procedures [24].

The proof of Newman's lemma and the associated diagram show that modal Kleene 
algebra allows induction in the interior part of an expression. This is not possible in pure 
Kleene algebra or omega algebra due to the shape of the star induction and omega co- 
induction axioms. Thus modal Kleene algebra supports "context-free" induction, whereas 
pure Kleene or omega algebra admits only its "regular" subcase. To achieve the same 
purpose, residuals are used in [12] to move the locus of induction from the interior of an 
expression to one of its ends and back. 

The results of the present paper contribute to establishing modal Kleene algebra as 
a formalism that enhances cross-theory reasoning between different calculi for program 
analysis. Moreover, our techniques have successfully been mechanised using off-the-shelf 
first-order automatic theorem provers. Case studies on this can be found, for instance, 
in [17]. Therefore the integration into formal methods like Alloy [18], B [1] or Z [28], and
applications to the analysis of programs, protocols and reactive systems are within reach. 
We envision three lines for future research: 

• the investigation of discrete dynamical systems based on modal semirings, convergence 
and divergence; 

• the study of the free algebras and the development of decision procedures in this setting, 
based on those for Kleene algebras without modalities; 

• the application of the approach in the termination analysis of programs and the
development of tools that support this analysis.